How to use AD accounts in AIX?

Hello,

I've searched on-line (IBM and other sites), but did not get a clear answer or steps.

My requirement: use existing Active Directory accounts to log in to AIX servers.

Can you please give me some information on how to achieve this? How does this Active Directory and AIX server integration work?

What are the steps/procedure I need to follow to complete this?

Thanks,
Aaaron

IBM AIX and Microsoft Active Directory integration with Kerberos and LDAP

Aaaron,

It depends what you understand by "integration". Do you need only authentication (passwords/users are the same in MSAD/AIX)? Do you need Single Sign-On (users are authenticated on AIX without a password using their MSAD credentials)? Do you need automatic user replication from MSAD to AIX? Do you need MSAD groups and roles on AIX? Where do you want to store AIX-specific attributes, such as home directory, shell etc. - in MSAD or on AIX? There are many questions to be answered first before the "integration". The way you go depends on these answers.

Thanks for your replies blackrageous & agent.kgb

I would like to store AIX-specific attributes (home directory, shell etc.) in AIX only.
But the users should be able to authenticate using their MSAD password.

They should be able to reset the password on their own (just like for their workstations).

I just want to avoid user administration (like creating/resetting users etc.) from the AIX side. But I (the AIX admin) should be able to control access (not all AD users can log in).

Do we need to create an AD group (and attach the users that need access) and integrate it with AIX?

Please let me know how this works, and which approach is better for my scenario.

Thanks much for your time.

To me this means that you plan to use Kerberos authentication, but not the LDAP features of MSAD. At least you don't want to change the MSAD schema, and that is good.

I don't know a solution for password resetting in an MSAD domain. AFAIK it is only possible from a Windows workstation.

If you want to control access to your boxes, you have to define somehow which users are allowed to access them. The easiest way IMO is to define (create) users on AIX which are authenticated in the MSAD domain using Kerberos. If you don't want to create users on AIX, you move the responsibility somewhere else. E.g. you can create an MSAD group "AIX-Users" and bind the LDAP client on the AIX side to this group. Then all users who belong to this group automatically receive access to your AIX box. You don't control access to AIX anymore, but your helpdesk or Windows administrator does. But at the same time the next problem arises - if you use LDAP, you have to store AIX user attributes in LDAP. In this case you may need to modify the MSAD schema, and that is bad. Almost all Windows administrators I know are against it, and they have good reasons for it. Or you may need to install a "proxy" LDAP server with AIX attributes, but then you have to replicate users from MSAD to the LDAP server. Not every enterprise allows it.

IMHO the easiest way to start is to configure the Kerberos client on AIX. You need the AIX Expansion Pack or the AIX Web Download Pack - I think the Kerberos client is in both packs. Next you have to install the krb5.client.rte fileset -

installp -acgXYd /path/to/expansion/pack krb5.client.rte

and configure Kerberos, something like:

$ cat /etc/krb5.conf
[libdefaults]
        default_realm = <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS>
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc

[realms]
        <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS> = {
                kdc = <your_active_directory_controller>:88
                admin_server = <your_active_directory_controller>:749   # it doesn't work in an MS environment though ;-)
                default_domain = <your_msad_domain_in_small_letters>
        }

[domain_realm]
        .<your-dns-domain> = <YOUR_MSAD_DOMAIN_IN_BIG_LETTERS>

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        default = FILE:/var/krb5/log/krb5lib.log

You have to check the file /usr/lib/security/methods.cfg, it should contain something like:

KRB5:
        program = /usr/lib/security/KRB5
        program_64 = /usr/lib/security/KRB5_64
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5files:
        options = db=BUILTIN,auth=KRB5

Then you can create a user on AIX with the standard mkuser command. The user name should be the same as in MSAD, and it should have 2 special attributes - registry=KRB5files SYSTEM=KRB5files

After this the user should be able to log in on AIX with his/her MSAD password.

Some notes:

  1. I personally made MSAD-AIX integration for many clients, but what I write here is written off the top of my head and was not tested. It may work, but there is no warranty.
  2. It is just a quick and dirty fix to start the integration; it requires more work and thought to make everything right.
  3. It is very difficult to troubleshoot problems between AIX and MSAD. If it works, everything is fine. If it doesn't, you can spend a lot of time troubleshooting an easy problem.
  4. Don't forget - we have very few AIX versions, but they have a lot of Windows versions, and they change the rules from time to time. It makes life funnier.

Thank you for your time. I actually tried setting it up in a similar manner after I found some post on unix.com,

but for some reason it did not work. Maybe I missed something. Please see the error below.

[root@aixlpar]/home/root>/usr/krb5/bin/kinit user7@domain.com
Unable to obtain initial credentials.
        Status 0x96c73a44 - KRB5 error code 68.
[root@aixlpar]/home/root>/usr/krb5/bin/klist
Unable to get cache name (ticket cache: /var/krb5/security/creds/krb5cc_0).
        Status 0x96c73ac3 - No credentials cache found.

I will look into it again. And I've looked at the above link (IBM), but have not started yet.
It has information about integrating Active Directory with Kerberos and LDAP as well.

I would like to go with the Kerberos option for now. As this is a test server, I would like to test this out now.

Please let me know if you have any suggestions.

---------- Post updated at 15:00 ---------- Previous update was at 14:55 ----------

Adding info from my test server:

[root@aixlpar]/home/root>cat /etc/krb5/krb5.conf
[libdefaults]
        default_realm = domain.com
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        default_tkt_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts
        default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac aes256-cts des-cbc-md5 des-cbc-crc aes128-cts

[realms]
        DOMAIN.COM = {
                kdc = msadserver.domain.com:88
                admin_server = msadserver.domain.com:749
                default_domain = domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
        msadserver.domain.com = DOMAIN.COM

[logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

/usr/lib/security/methods.cfg:

KRB5A:
        program = /usr/lib/security/KRB5A
        options = authonly,tgt_verify=no,kadmind=no,is_kadmind_compat=no

KRB5Afiles:
        options = db=BUILTIN,auth=KRB5A

You will need to create an AD user for that AIX machine.

Log in with it to Windows initially (to any Windows machine in the domain) and change the password; no need to load the desktop.

Once you have the user operational, configure the user so it cannot change its password and the password never expires.

Then generate a Kerberos keytab on the domain controller (host keytab, not HTTP) with ktpass for that user (representing your server), which you will copy as krb5.keytab to your AIX server.
Check NTP: AD and the server should be in sync, or Kerberos will fail to work.

Now you should be able to do kinit user@DOMAIN to get a ticket and confirm it is working.

After that SSO should work (with PuTTY or WinSCP) if the user is defined on the Unix system and is logged on to the Windows domain.

I haven't worked with AIX in this regard, but this seems universal on all Unix/Linux systems.

Yes, you can create a user and a keytab file, but with the settings in methods.cfg above it works without the keytab and without the user too.

$ grep keytab /etc/krb5.conf
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
$ ls -l /etc/krb5/krb5.keytab
/etc/krb5/krb5.keytab not found
$ /usr/krb5/bin/kinit -f user
Password for user@DOMAIN:
Warning: Your password will expire in 5 days.
$ /usr/krb5/bin/klist
Ticket cache:  FILE:/var/krb5/security/creds/krb5cc_0
Default principal:  user@DOMAIN

Valid starting     Expires            Service principal
04/30/15 11:21:06  04/30/15 21:21:08  krbtgt/DOMAIN@DOMAIN
        Renew until 05/01/15 11:21:06

---------- Post updated at 11:27 AM ---------- Previous update was at 11:22 AM ----------

The only difference between what I posted and what you posted is the realm name. It must be in big letters -> DOMAIN.COM. Everything else should be ok.

Which versions of AIX and Windows do you have?
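A sanity check for a krb5.conf that catches the realm-name problem diagnosed above (default_realm in lower case, so it does not match the [realms] stanza, since realm names are case-sensitive) and also flags the single-DES enctypes that the sample configs list, which are deprecated in Kerberos (RFC 6649) and disabled by default on current AD. This is an added example written for this thread, not something any poster ran; it assumes the "name = value" layout used in the configs above and POSIX sh with awk and grep, as on AIX.

```shell
#!/bin/sh
# Added example: check a krb5.conf for the realm-case mismatch seen in this
# thread and for single-DES enctypes. Assumes "name = value" lines with
# spaces around "=", as in the configs posted above.
# Usage: check_krb5_conf /etc/krb5/krb5.conf ; returns the number of findings.
check_krb5_conf() {
    f=$1
    findings=0
    # first default_realm value, whitespace stripped
    realm=$(awk -F= '/^[ \t]*default_realm[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$f")
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in $f"
        findings=$((findings + 1))
    else
        upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
        if [ "$realm" != "$upper" ]; then
            echo "FAIL: default_realm '$realm' is not upper case; AD realms are, e.g. '$upper'"
            findings=$((findings + 1))
        fi
        # the [realms] stanza must carry exactly that name (realm names are case-sensitive)
        if ! awk -v r="$realm" '
            /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect) }
            sect == "realms" && $1 == r && $2 == "=" { found = 1 }
            END { exit found ? 0 : 1 }' "$f"; then
            echo "FAIL: no [realms] stanza named exactly '$realm'"
            findings=$((findings + 1))
        fi
    fi
    # single DES is deprecated (RFC 6649) and off by default on current AD
    if grep -E '^[[:space:]]*default_(tkt|tgs)_enctypes[[:space:]]*=.*des-cbc-(md5|crc)' "$f" >/dev/null; then
        echo "WARN: single-DES enctypes (des-cbc-md5/des-cbc-crc) listed in $f"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# run directly: check the file given on the command line
if [ $# -ge 1 ]; then
    check_krb5_conf "$1"
fi
```

Run against the test server's config posted above it reports three findings; with default_realm = DOMAIN.COM and the des-cbc-* entries dropped it reports none.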

We've AIX 7.1 and Windows (2012 I guess).

I will look into it and get back to this.
Thanks for your response.